Firewalls and intrusion detection systems

Bencsáth Boldizsár

 Firewalls  Intrusion detection systems (IDS)


) Introduction 3 . etc.Introduction – A firewall is a system or group of systems that enforces an access control policy between networks – Mostly the goal is to protect TCP/IP networks – Other possible firewalls: between applications on a windows environment. attacks Network management purposes (screening the traffic etc. – Functions: • • • • • • Blocking traffic Permitting traffic Enabling secure remote connections (VPN) Logging traffic Content filtering (blocking): viruses. java card firewalls.

g.Main goals The main goal of firewalling is – to control unnecessary services. invalid SMTP commands can be filtered) – to enable logging – to control the activity of internal users – every accessible point is a possible security hole: With firewalling we minimize the accessible points and we are making it more difficult to deploy an attack – we can make it more difficult to exploit the vulnerability: E.g. traffic – to hide our internal network topology and services – to protect against protocol errors (e. just a subnetwork/server 4 Introduction . with tftp denied it is more difficult to send files to the internet after an attack – we can separate the network to subnetworks: an intrusion will not compromise our whole system.

HTTP tunnels.Complete protection against intrusions: A single open port can be used to gain privileged access An application proxy might not stop attacking through badly formed parameters.Stopping information flow/leakage: Data can be leaked out even through DNS applications or e. etc. . It is very hard to protect against covert channels. An industry spy can use the telefax to transport secrets… 5 Introduction .A firewall is not good for… .g.

Packet filtering – disable access to unwanted services Port State 9/tcp open 13/tcp open 21/tcp open 22/tcp open 23/tcp open 25/tcp open 37/tcp open 79/tcp open 80/tcp open 109/tcp open 110/tcp open 139/tcp open 143/tcp open 515/tcp open 587/tcp open 1723/tcp open 3128/tcp open Service discard daytime ftp ssh telnet smtp time finger http pop-2 pop-3 netbios-ssn imap2 printer submission pptp squid-http Port 21/tcp 22/tcp 25/tcp 80/tcp 110/tcp 143/tcp State open open open open open open Service ftp ssh smtp http pop-3 imap2 squid- 3128/tcp filtered http Introduction 6 .

Packet filtering      Filtering based on network layer of the IP stack Filtering rules described in rule base Default permit / default deny design Most routers have packet filtering capabilities A good packet filter… Introduction -Permits connections to really-needed services -Also filters internal access – Most of the intrusions come from employees -Detects anomalies – TCP packet without SYN handshake etc. -Filters out all the services what we do not use currently (not only those we don’t want to show) -Hides internal network elements and architecture (NAT) -Filters services available to internal hosts (e.g. filter out streaming) Main problem: Stateless? Stateful? How? 7 .

g. 8 . established.… or e. RST. …) Source IP address Destination IP address Source/Destination port (socket) Connection state (TCP: SYN. FTP states) (rate control) (filter rules based on time schedule – no streaming before 8 p. TCP.Packet filtering         Introduction   Packet filtering rules mostly based on: IP protocol (UDP.m.) incoming/outgoing interface etc.

Application gateway  Proxies rebuild the whole protocol (application layer gateway)  Needs to know the exact specification of the protocol we use  Can investigate the content of the flow  Can protect against protocol errors  More vulnerable to DoS  Can be more complicated to (internal) users (e.g. telnet proxy)  Lower performance  Higher security 9 Introduction .

10 Introduction .Packet filter vs. so an internal webserver beyond an application gateway can not log who is downloading the page – Modern solutions mix the two methods. Application gateway – Packet filtering without states is insecure – Stateful packet filtering is fast – Stateful packet filtering might not protect against some protocol errors – Application gateways are more sophisticated – Application gateways are (mostly) not transparent.

RST SYN /sbin/iptables -A INPUT -j /sbin/iptables -A INPUT -j ACCEPT -p tcp -d 0/0 -v --dport 23 LOG -p tcp -d 0/0 -v --dport 110 --tcp-flags ACCEPT -p tcp -d 0/0 -v --dport 110 DROP -p tcp -d 0/0 -v --dport 3128 – Checkpoint Firewall – text: :rule-base ("##Standard" :rule ( :src ( : Any ) :dst ( : Any ) :services ( : Any ) :action ( : (accept :type (accept) :color ("Dark green") :macro (RECORD_CONN) :icon-name (icon-accept) :text-rid (61463) :windows-color (green) ) Introduction ) 11 – Graphical tools / ruleset generators help .ACK.example – Linux iptables: /sbin/iptables -A INPUT -j /sbin/iptables -A INPUT -j SYN.FIN.Rule sets .

Architecture / Basic router Internet firewall „filters the traffic” it can be a dual-homed gateway or a simple packet filter – screening router Architecture Internal network 12 .

g.Elements Dual-homed gateway single-homed gateway gateway: application level border element. e.: proxy server Architecture Internal network 13 .

Packet filter only – screening router router Internet packet filter Can be a single screening router Architecture Internal network 14 .

Packet filter with bastion host router Internet packet filter Bastion host. here: a dual-homed gateway == proxy server == application level firewall Architecture Internal network 15 .

Packet filter with bastion host router Internet packet filter Bastion host. here: a proxy firewall internal packet filter Architecture Internal network 16 .

here: a proxy firewall ? Mail server internal packet filter DMZ De-Militarized Zone Web server Architecture Internal network 17 . DMZ. internal pf router Internet packet filter many different topologies can be considered Bastion host.Packet filter with bastion host.

Ease of use .Windows.No.Price Firewall . of interfaces . propriaty OS . Solaris. application proxy) .Hardened operating system .Authentication methods .Working method (stateful inspection.With or without hardware .products 18 .Maximum traffic .Platform and other parameters . Linux.

network sharing. Gauntlet) – Zorp (Balabit) – NAI Firewall (Gauntlet->Secure Co) Firewall . ) – Checkpoint Firewall (FW-1) Linux. … 19 . netfilter packet filtering – Windows internal port filtering ( and IPSEC (policies).Commercial & free products – Iptables. routing. etc.Raptor ) – Secure Computing Sidewinder (incl.products – Evaluation: ICSA. Common Criteria. Windows. Nokia – Cisco PIX – Symantec Enterprise Firewall ( <.

no security settings) – Attacked clients might become zombies for a DoS attack or a relay for spams and other attacks – They need some protection – Personal firewalls are mostly simple packet filters – Drop incoming service requests (my windows pc is not a file server) – Alert on (anomalous) outgoing requests – Can protect against trojans / information leakage / privacy problems too – Can be integrated with virus protection 20 Personal firewalls . bad passwords.Personal firewalls – Every single host on the Internet is a target – Most users do not use tight security (no updates.

promiscuous mode network card on a dedicated host) IDS 21 . or anomalous activity misuse detection != intrusion detection Host-based: operates on a (single) host Network-based: operates on network data flows (e. incorrect.g.Intrusion detection systems – Intrusion detection: detecting inappropriate.

Signature Detection Active vs. Network-based Statistical vs. Userspace Distributed vs. Retroactive Flat vs. Passive Proactive vs.IDS Categories        In-Kernel vs. Atomic Host-based vs. Hierarchial (Justin Lundy) IDS 22 .

rootkits  Version (and critical security hole) checking  Checking for invalid www request URLs in web server’s log files  Personal firewall?  … IDS 23 .Host-based IDS  Checking log files for traces of attacks  Checking the condition of processes  Looking for anomalies of the authentication system ( Why is X logging in from Thailand? Why is Z logging in during the weekend?)  Checking the fingerprints of the installed binaries (Operating system integrity)  Checking for malicious user code – possible hacker tools.

Usual attacks possess some kind of signature that identifies them – problem: large number of possible signatures – high traffic rate (~GBps lines) – large number of dropped packets – less accurate result – problem: signatures has to be known. Regular updates needed and much work to generate “good” signatures – problem: polymorphic attack: One might change the attack scenario so that the signature will not match 24 .Network based IDS  On a single network element (near the firewall) or can be distributed: more agents are distributed on the network and a central server makes the decision  Problem: Encrypted traffic cannot be analyzed (traffic analysis. timing only)  Signature filters: looks for various signatures.

what is the origin. it needs much work.Anomaly detection  Mostly on statistical basis  Detects statistically exceptional events  Learning: Watching activity during ‘normal’ state and storing patterns (who logs in.)  Experience shows that 90% of attacks can be considered as protocol usage anomalies.  A non-RFC compilant client is not always an attacker – we need flexibility 25 . when. such as RFC compilant state machines. etc.  Does not require signatures (except what it learns)  We should carefully add knowledge about “normal” activity.

CIDF – Model: Common Intrusion Detection Framework intrusion detection components can be reused in other systems interface & communication protocols – Architecture • • • • Event generators (colloquially "E-boxes") Event analyzers ("A-boxes") Event databases ("D-boxes") Response units ("R-boxes") IDS 26 .

Sign up to vote on this title
UsefulNot useful